1. Executive Summary
The past 24 hours have revealed a dynamic and complex cybersecurity landscape, marked by significant incidents ranging from state-sponsored espionage to financially motivated cybercrime and ideologically driven hacktivism. A critical observation from the analysis of these events is the increasing convergence of traditional cybercrime and politically or ideologically motivated hacktivism. Threat actors are demonstrating a growing versatility, leveraging both financial incentives and geopolitical drivers to achieve their objectives, which blurs the traditional distinctions between these malicious activities. This trend is exemplified by extortion-as-a-service platforms that, despite claiming to be extortion-only, have been observed deploying ransomware.
Another significant development observed is the persistent challenge in consistently identifying and attributing attacks to specific threat actors. Groups frequently rebrand, operate under multiple aliases, or emerge as seemingly new entities, making it difficult for defenders to maintain accurate intelligence and track their activities over time. This fluidity necessitates continuous monitoring and adaptive intelligence gathering.
Furthermore, despite the increasing sophistication of some threat actors and the advanced nature of certain attacks, a recurring vulnerability remains the exploitation of foundational security weaknesses. Weak passwords, unpatched vulnerabilities, and various forms of social engineering continue to serve as primary initial access vectors. This underscores a critical need for organizations to prioritize fundamental cybersecurity hygiene alongside advanced defensive measures, as even the most advanced adversaries often exploit basic security failures.
2. Daily Incident Overview
The following table provides a summary of the cybersecurity incidents reported or observed in the last 24 hours, offering a quick reference to key details.
Daily Incident Summary Table
Incident ID | Victim Organization | Attack Type | Primary Threat Actor | Brief Impact | Status |
--- | --- | --- | --- | --- | --- |
I-001 | EducaCyL (Castilla y León Education System, Spain) | Data Breach | mafiatributaria | Claimed sale of sensitive data database | Access Offered |
I-002 | Unspecified Nuclear/Defense Organizations | Data Theft/Sale | Jack_back | Sale of nuclear equipment designs, submarine blueprints, employee PII | Data Offered |
I-003 | Fortinet Firewall Users | Zero-Day Exploit Sale | Unnamed Threat Actor | Alleged sale of unauthenticated RCE for Fortinet firewalls | Exploit Offered |
I-004 | Riverdale Country School (Bronx, NY) | Ransomware/Data Leak | RansomHub | 42 GB sensitive data leaked (biographical, contact, medical) | Data Published |
I-005 | Dark Web Vendors & Buyers | Law Enforcement Operation | Various Dark Web Markets (Nemesis, Tor2Door, Bohemia, Kingdom) | 270 arrests, EUR 184M seized, 2 tonnes drugs, 180+ firearms | Networks Disrupted |
I-006 | U.S. Critical Infrastructure | Malware Deployment | Unnamed Threat Actors (LummaC2) | Network infiltration, sensitive information exfiltration | Ongoing Threat |
I-007 | Indian Air Force, Army Schools, Critical Infrastructure | Cyber Warfare (Defacement, DDoS, Malware, Phishing, Ransomware, Data Theft) | Red Wolf Cyber (RipperSec), APT36, Team Insane PK, others | Websites defaced, service disruption, data theft | Ongoing Conflict |
I-008 | WhatsApp & Facebook India Users, Defense Personnel, Gov. Employees | Mass Data Breach/Sale | Unnamed Data Brokers | Sale of PII of 1.2 crore WhatsApp users, 17 lakh Facebook users, 2.55 lakh defense personnel | Data Offered |
I-009 | Bank Central Asia (BCA), Indonesia | Alleged Data Breach | Bjorka | Claims of hacked accounts, leaked customer data (denied by BCA) | Claims Unverified |
I-010 | Ukrainian Gov/Defense, European/NA NGOs, Politicians | Cyber Espionage/Extortion | RomCom Group | Opportunistic ransomware/extortion, shift to intelligence collection | Ongoing Activities |
I-011 | Users in Palestine & Egypt | Mobile Espionage | AridViper | Deployment of AridSpy spyware via trojanized apps, data collection | Ongoing Campaign |
I-012 | Various Organizations | Extortion-as-a-Service | World Leaks | Data exfiltration, psychological leverage, some ransomware deployment | Ongoing Extortion |
I-013 | Gov/Edu websites, Israel, South Korea, Ukraine | Hacktivism (DDoS, Data Breach, Defacement) | RipperSec (Red Wolf Cyber) | Service disruption, reputational damage | Ongoing Hacktivism |
I-014 | US, Western countries, India, Ukraine, Israel, Yemen, France, UK, Canada, Iran, South America | Ransomware/Defacement | STORMOUS (Dragon RaaS) | System disruption, data exfiltration, financial demands | Ongoing Ransomware |
I-015 | Tokopedia, Microsoft GitHub, Wattpad, Pixlr, Pizza Hut AU, AT&T | High-Profile Data Breaches | ShinyHunters | Theft/sale of over 1 billion users’ PII | Ongoing Data Theft |
I-016 | Multiple (Indonesia, USA) | Data Leak/Breach | HIME666 | Sale of SIM card data, data from Village of Palmetto Bay, Kota Depok Health Department | Data Offered |
I-017 | Unidentified Online Stores (Romania, Sweden) | Initial Access | 0x1 | Sale of admin access to e-commerce platforms | Access Offered |
I-018 | USA | Alert | Tunisian Maskers Cyber Force | Group claims to target USA | Ongoing Threat |
I-019 | Multiple (Indonesia) | Data Sale/Leak | UFO MARKET | Sale of Indonesian hospital patient records, Indonesian women’s data | Data Offered |
I-020 | Unidentified Tajikistan Casino | Data Leak | Powerpixel | Sale of casino player lead data | Data Offered |
I-021 | 1,158 Gambling Sites | Data Leak | R0m4nce | Sale of gambling site source code | Data Offered |
I-022 | Unidentified Slovenia-based e-commerce store | Initial Access | Fordnox | Sale of administrative access | Access Offered |
I-023 | Possumus SRL, Yuexi County Public Employment and Talent Service Network | Defacement | Team 1722 | Website defacement/takedown | Ongoing Defacement |
I-024 | My Admission Lead | Data Leak | TASIKMALAYA FUCK SYSTEM | Leak of database | Data Published |
I-025 | Kingway Technical Institute | Defacement | WOLF CYBER ARMY | Website defacement | Ongoing Defacement |
I-026 | Citizens of Paraguay | Data Sale | el_farado | Sale of 7.2 million citizen records | Data Offered |
I-027 | NUUO Inc. | Vulnerability | 404403 | Alleged sale of 0-day RCE exploit for Nuuo cameras | Exploit Offered |
I-028 | UNIVERSIDAD NACIONAL SAN CRISTOBAL DE HUAMANGA, National University of Cajamarca | Data Breach/Leak | t3rm1t0 | Leak of student/academic information | Data Published |
I-029 | Synergy, Terra Caribbean, Adriatic Glass & Mirrors | Data Breach | Weyhro | Leak of financial, PII, corporate intellectual property | Data Published |
I-030 | Bank of America | Data Breach | Jack_back | Sale of 18.2 million customer records | Data Offered |
I-031 | Colegio La Obra (Argentina) | Data Leak | aero | Leak of 1,015 student records | Data Published |
I-032 | Multiple Countries | Data Leak | Rynon | Sale of spam leads for credit card fraud | Data Offered |
I-033 | Android Play Store | Malware | Arings | Sale of Android Play Store app loader | Malware Offered |
I-034 | The Military Media Department of the Izz ad-Din al-Qassam Brigades | Defacement | Al-Qassam Brigades Cyber | Website defacement | Ongoing Defacement |
I-035 | Philippine Economic Zone Authority | Initial Access | Lei | Sale of unauthorized login credentials | Access Offered |
3. Detailed Incident Analysis
This section provides an in-depth analysis of each identified incident, incorporating available information on associated threat actors and their operational methodologies.
3.1. Incident: Education System Data Breach (EducaCyL)
The education system of Castilla y León, Spain, known as EducaCyL, was recently targeted in a data breach. On May 31, 2025, a threat actor operating under the alias “mafiatributaria” publicly claimed to be selling access to a sensitive database allegedly obtained from EducaCyL [1]. While specific details regarding the types of data compromised or the full extent of the breach were not immediately available, such incidents typically involve the personal information of students, faculty, and potentially their families.
This event highlights a recurring vulnerability within the education sector. Educational institutions, despite often having limited cybersecurity budgets compared to other industries, frequently hold a wealth of sensitive personal data. This makes them attractive targets for malicious actors seeking to acquire and monetize personally identifiable information (PII) [2]. The emergence of new or less-documented threat actors, such as “mafiatributaria,” underscores the dynamic nature of the cybercrime ecosystem. New entities continuously appear, exploiting vulnerabilities for financial gain, making continuous threat intelligence gathering and monitoring of underground forums essential for defenders.
Associated Links:
- Published URL: https://darkforums.st/Thread-I-m-selling-data-from-the-education-system-of-Castilla-y-Le%C3%B3n-Spain
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/cb0d6994-44e6-4509-b664-2d7db2761a39.png
3.2. Incident: Nuclear and Defense Data Sale
A highly concerning development involves the offering for sale of extremely sensitive data related to nuclear manufacturing, defense-related manufacturing, and military nuclear information. A forum user identified as “Jack_back” has uploaded samples of this compromised data, which reportedly includes nuclear equipment design files, submarine blueprints, uranium mining videos and images, and employee personal information [3]. This represents a severe compromise of national security and intellectual property, with potentially far-reaching implications.
The sale of such highly classified information on underground forums signifies a critical national security threat. Data of this nature is typically sought by nation-state actors for espionage or strategic advantage [4]. The fact that it is being openly sold on a forum suggests a commercial market for sensitive intelligence, potentially indicating that nation-states or their proxies are outsourcing initial access or data acquisition to cybercriminal elements. This creates a complex web of motivations, blurring the lines between traditional espionage and financially driven cybercrime, and complicates attribution efforts for intelligence agencies. The specific methods used by “Jack_back” to obtain this data are not detailed, but given the nature of the targets, sophisticated intrusion techniques, supply chain compromises, or insider threats are probable vectors.
3.3. Incident: Fortinet Firewall Zero-Day Exploit Sale
On April 14, 2025, reports emerged of a threat actor attempting to sell, on a dark web forum, an alleged zero-day exploit for an unauthenticated remote code execution (RCE) vulnerability in Fortinet firewalls [6]. If legitimate, this exploit would grant full control over vulnerable devices, enabling the extraction of critical information such as FortiOS configuration files, credentials, administrator account permissions, firewall policies, and two-factor authentication (2FA) status [6]. This poses an extreme and immediate risk to any organization relying on affected Fortinet devices for network security.
The alleged sale of a Fortinet zero-day exploit on the dark web represents a significant escalation in the capabilities available to cybercriminals. Zero-day vulnerabilities, particularly those affecting widely deployed network infrastructure like firewalls, are exceptionally valuable because they bypass existing security controls and known defenses. Their availability on dark web forums means that these powerful tools can be acquired by a broader spectrum of malicious actors, extending beyond state-sponsored groups to include sophisticated cybercriminals [7]. This democratization of advanced attack capabilities inherently increases the overall risk for all organizations relying on the affected technology.
This development coincided with Fortinet’s release of an advisory regarding the active exploitation of known vulnerabilities in its FortiOS and FortiProxy products [6]. This timing suggests a potential interplay: the new zero-day could be distinct from the publicly known CVEs but is being introduced amidst an environment of ongoing exploitation to maximize its perceived value and impact. Alternatively, the actor selling the zero-day may have discovered it while exploiting the already known vulnerabilities. This scenario highlights the continuous cat-and-mouse game between defenders and adversaries, where patches for identified flaws are quickly followed by the discovery and weaponization of new, often more critical, vulnerabilities. The persistence methods observed in the exploitation of known CVEs, such as creating symbolic links to maintain access even after patching, further demonstrate the attackers’ advanced tradecraft [6].
3.4. Incident: Riverdale Country School Ransomware Attack & Data Leak
Riverdale Country School, an elite private school in the Bronx, was recently subjected to a ransomware attack that resulted in a public data breach. The incident came to light on February 20, 2025, when the cybercriminal group RansomHub announced they had stolen the school’s data and initiated a countdown clock for ransom payment [11]. Upon the expiration of the deadline, on March 5, 2025, RansomHub published 42 gigabytes of sensitive data on their dark web site, including biographical information, contact details, and personal medical information of students, parents, and faculty [11]. The leaked data was reportedly viewed over 4,000 times within a short period.
This incident reinforces that ransomware groups continue to target diverse sectors, including educational institutions. It demonstrates that no industry is immune to these attacks, especially those that possess valuable personal data [2]. The targeting of an elite private school, while not a critical infrastructure entity, underscores that organizations holding sensitive personal information are attractive targets due to the potential for high-impact extortion and the likelihood of victims paying to avoid reputational damage.
The use of countdown clocks and subsequent public data leaks, commonly known as double extortion, remains a powerful psychological tactic employed by ransomware groups. Even when victims adhere to law enforcement guidance, such as the FBI’s recommendation not to pay ransoms, the threat actors proceed with public exposure of the compromised data [11]. This strategy maximizes reputational damage, increases pressure on the victim organization, and can lead to further downstream attacks like identity theft or fraud against affected individuals. This illustrates the evolving nature of ransomware, where the focus extends beyond mere data encryption to leveraging public shaming and data exposure as a primary extortion method.
3.5. Incident: Global Dark Web Crackdown (Operation RapTor)
A significant blow to the criminal underground was delivered through “Operation RapTor,” a global law enforcement operation coordinated by Europol. This operation resulted in 270 arrests of dark web vendors and buyers across ten countries, including the United States, Germany, the United Kingdom, France, South Korea, Austria, and the Netherlands [12]. The coordinated sweep successfully dismantled networks involved in trafficking drugs, weapons, and counterfeit goods. Substantial seizures included over EUR 184 million in cash and cryptocurrencies, more than 2 tonnes of drugs, over 180 firearms, 12,500 counterfeit products, and more than 4 tonnes of illegal tobacco [12].
This operation, following “Operation SpecTor” in 2023 which led to 288 arrests, highlights the increasing effectiveness of coordinated international law enforcement efforts in disrupting dark web criminal networks [12]. These successes demonstrate that the illusion of anonymity often associated with the dark web is not absolute, and that persistent intelligence sharing and cross-border cooperation are yielding significant results in apprehending malicious actors.
However, a critical observation from these successful takedowns is the adaptive nature of cybercrime. With traditional, large-scale dark web marketplaces facing increasing pressure and disruption, criminal actors are observed shifting their tactics towards smaller, single-vendor shops [12]. These individual seller sites are designed to avoid marketplace fees and minimize exposure, indicating that while large-scale disruptions are impactful, the underlying criminal activity adapts and disperses. This necessitates continuous adaptation of law enforcement strategies to counter evolving criminal methodologies, making the fight against cybercrime an ongoing and dynamic challenge rather than a series of one-time victories.
3.6. Incident: LummaC2 Malware Targeting US Critical Infrastructure
U.S. Critical Infrastructure sectors are under persistent threat from unnamed actors deploying LummaC2 malware. A joint Cybersecurity Advisory released by CISA and the Federal Bureau of Investigation on May 21, 2025, detailed the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with this malware [13]. LummaC2 is capable of infiltrating networks and exfiltrating sensitive information, posing a serious risk to national security and economic stability [13]. Activity involving this malware has been observed consistently from November 2023 through May 2025, indicating a sustained campaign.
The continuous targeting of critical infrastructure with sophisticated malware like LummaC2 underscores the ongoing, high-priority threat to essential services and national security. Critical infrastructure entities are prime targets for nation-state actors due to their strategic importance [4]. The capabilities of LummaC2, specifically network infiltration and sensitive information exfiltration, suggest objectives ranging from espionage and intelligence gathering to potential preparation for future disruptive or destructive attacks. This situation reinforces the urgent need for robust, proactive defenses and continuous monitoring within these vital sectors.
The widespread and prolonged deployment of LummaC2 malware by various threat actors suggests it may be a commercially available or widely utilized infostealer and loader. This exemplifies a broader trend in the “industrialization of cybercrime,” where specialized malware-as-a-service (MaaS) offerings are adopted by a diverse range of malicious actors [2]. The availability of such tools lowers the barrier to entry for conducting sophisticated attacks, enabling actors with varying levels of technical expertise to execute high-impact operations against critical targets.
3.7. Incident: India Cyberattacks During Operation Sindoor
During “Operation Sindoor” in April-May 2025, India faced a coordinated dual-front assault involving both physical drone swarms and extensive cyberattacks from Pakistan-aligned groups [14]. The cyber offensive targeted a wide range of Indian entities, including Indian Air Force bases, the Army Nursing College, Army Public Schools, and critical digital infrastructure such as ports, airports, Indian Railways, BSNL, UPI, stock exchanges, and defense contractors [14]. Attack types included website defacements, distributed denial-of-service (DDoS) attacks, malware deployment, phishing campaigns, ransomware attacks, and data theft, particularly in the energy sector [14]. Websites like the Army Nursing College were defaced with inflammatory messages, indicating a strong propaganda element [14].
This “Operation Sindoor” incident serves as a stark example of modern geopolitical conflict extending into the cyber domain. It demonstrates how state-backed and aligned hacktivist groups conduct coordinated, multi-pronged attacks as an integral part of broader military or political objectives [14]. The involvement of various groups, including Red Wolf Cyber (a rebranding of RipperSec), APT36 (Transparent Tribe), Team Insane PK, and others, underscores the use of cyber warfare as a strategic tool to paralyze digital infrastructure and disseminate misinformation [14]. This highlights the increasing role of cyber operations in international relations and conflict, demanding comprehensive national cybersecurity strategies.
The combination of physical (drone) and cyber attacks, alongside disinformation campaigns, showcases a sophisticated hybrid warfare strategy. This integration of kinetic and non-kinetic attacks signifies a deliberate approach by adversaries to leverage multiple domains simultaneously to achieve strategic objectives [14]. The inclusion of misinformation campaigns further emphasizes the psychological and informational warfare aspects, aiming to demoralize the opposing side [15]. This multi-domain approach necessitates a holistic defense strategy that considers and integrates responses to both physical and digital threats.
Furthermore, the participation of hacktivist groups like Red Wolf Cyber (RipperSec) in these state-backed operations indicates a growing trend of nation-states leveraging non-state actors as proxies in cyber warfare. Red Wolf Cyber, originally RipperSec, is a pro-Palestinian, pro-Islam hacktivist group, likely based in Malaysia, known for DDoS attacks, data breaches, and defacements using tools like MegaMedusa [17]. They operate on Telegram and are part of the “Holy League alliance,” collaborating with over 40 other groups [18]. Their involvement suggests that nation-states may coordinate with or exploit the shared ideological goals of hacktivist groups to augment their cyber capabilities and potentially provide plausible deniability, thereby complicating attribution and response efforts.
3.8. Incident: WhatsApp & Facebook India Data Leak
A massive data breach impacting millions of Indian users of major social media platforms, including 1.2 crore WhatsApp users and 17 lakh Facebook India users, was recently uncovered by Cyberabad Police [19]. The compromised data also included sensitive personal information of 2.55 lakh defense personnel, government employees, students, jobseekers, car owners, and IT professionals [19]. The data encompasses contact details, PAN card information, income, email addresses, phone numbers, and residential addresses [19]. This information is actively being used for various cybercrimes, including smishing and vishing attacks, and poses significant national security implications [19].
The arrests of seven data brokers, operating through three call centers in Noida, who subsequently sold this data to at least 100 fraudsters, illuminates a sophisticated and commercial ecosystem for stolen personal and sensitive information [19]. This network aggregates diverse types of data and sells it for a wide array of cybercrime activities. The sheer variety of data types available for sale demonstrates that these brokers act as central nodes in the cybercrime supply chain, enabling subsequent attacks like identity theft, financial fraud, and even espionage.
The inclusion of data belonging to defense personnel and government employees in these mass leaks poses critical national security risks, extending beyond individual financial fraud. As highlighted by law enforcement, such data can be exploited for espionage, impersonation, and other serious offenses that jeopardize national security [19]. This implies that seemingly disparate data leaks, when aggregated and analyzed, can provide adversaries with valuable intelligence for targeted attacks, social engineering, or even the recruitment of insiders.
A particularly concerning aspect of this incident is the low cost at which large datasets are being sold. For instance, data pertaining to 50,000 citizens was reportedly sold for as low as Rs 2,000 (approximately $24 USD) [19]. This commoditization of personal information significantly lowers the barrier to entry for aspiring cybercriminals, allowing them to acquire vast amounts of sensitive data with minimal investment. The widespread availability of such compromised data increases the overall threat surface for individuals and organizations, making them more susceptible to various forms of fraud and targeted attacks.
Associated Links:
- Published URL: https://darkforums.st/Thread-Selling-ACTIVE-1-MILLION-INDIAN-WHATSAPP-NUMBERS
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/b76fc1e4-3c0d-487d-91fc-0549a7a33cfd.png
3.9. Incident: Bank Central Asia (BCA) Data Breach Claims
On February 6, 2025, reports surfaced online alleging a data breach at Bank Central Asia (BCA), a major Indonesian bank [21]. An individual claiming to be the notorious hacker “Bjorka” asserted to have compromised BCA bank accounts and subsequently leaked customer data, providing screenshots as purported evidence [21]. The threat actor XSVSHACKER also claimed to have leaked a database from BCA, including personal data such as full names, phone numbers, gender, locations, and possible ID numbers. However, BCA firmly denied these claims, labeling them as hoaxes and assuring the public that customer data remained secure due to robust security measures [21].
This incident underscores the significant challenge of distinguishing between legitimate data breaches and false claims or “hoaxes” propagated by threat actors. Even unverified or fabricated claims by “notorious hackers” can cause substantial reputational damage, erode public trust, and generate widespread concern, regardless of whether a technical compromise actually occurred [21]. This adds a layer of informational warfare to cyber threats, where the perception of a breach can be as damaging as the breach itself.
Furthermore, the stated motivations behind Bjorka’s claims appear contradictory. The hacker’s public message included a seemingly altruistic statement about the need for BCA to “prioritize security and protect user privacy,” yet reports also indicated that Bjorka was allegedly “selling BCA customer data on the dark web” [21]. This inconsistency suggests a complex mix of motivations, potentially including a desire for notoriety, a pseudo-ethical hacktivist stance, or simply a deceptive cover for purely financial gain. Understanding these mixed motivations is crucial for predicting the behavior of certain threat actors and developing effective countermeasures that address both technical vulnerabilities and the psychological impact of such claims.
Associated Links:
- Published URL: https://darkforums.st/Thread-INDONESIA-DATABASE-BCA-CO-ID
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/ff014e26-1970-4d5b-8f49-7504bdae664d.png
3.10. Incident: RomCom Group Cyber Espionage/Extortion
The RomCom group, also known by aliases such as CIGAR, Void Rabisu, and Storm-0798, has been observed actively conducting cyber operations since at least 2022 [23]. While historically engaged in opportunistic ransomware and extortion operations, the group’s activities have notably shifted to include cyber espionage for intelligence collection [23]. Their targets include the Ukrainian government and defense sector, European and North American non-governmental organizations (NGOs), politicians, and participants in defense conferences [23]. This dual threat profile indicates a sophisticated adversary capable of pursuing both financial and state-sponsored objectives.
The evolution of the RomCom group from financially motivated cybercrime to cyber espionage represents a significant trend in the threat landscape. This demonstrates a blurring of lines where capabilities developed for financial gain, such as network intrusion and data exfiltration, are repurposed for strategic intelligence gathering [23]. This development potentially complicates attribution efforts and expands the pool of actors capable of conducting nation-state-level attacks, as financially driven criminals may be recruited by or transition into state-sponsored activities.
The group’s specific focus on the Ukrainian government, its defense sector, and entities involved in European and North American defense discussions highlights how threat actors align their operations with ongoing geopolitical conflicts. This strategic victimology directly ties the group’s technical capabilities to the broader geopolitical landscape, particularly the conflict in Ukraine [23]. It indicates that threat actors are highly opportunistic, adapting their targeting to current events to maximize their impact or acquire relevant intelligence that serves strategic interests.
3.11. Incident: AridViper Mobile Espionage Campaign
AridViper, a prominent state-sponsored cyber threat actor operating under aliases such as Desert Falcons, Two-tailed Scorpion, and APT-C-23, has been linked to an ongoing mobile espionage campaign [24]. This group, believed to have connections to Hamas, primarily targets Arabic-speaking countries, with a significant emphasis on Israel and Palestine [24]. Campaigns utilizing trojanized Android applications to deliver the AridSpy spyware have been observed since 2022, with three out of five identified campaigns remaining active [25]. The AridSpy malware is highly capable, collecting sensitive data such as call logs and text messages, and even capturing images using the front camera [25].
This AridViper campaign showcases the advanced capabilities of state-sponsored actors in mobile espionage. The group employs multi-stage malware and sophisticated social engineering techniques to bypass mobile device defenses [25]. The AridSpy malware, for instance, checks for the presence of security software and can perform data exfiltration based on specific events, such as a phone being locked or unlocked [25]. This level of technical sophistication in mobile platform exploitation and persistence represents a critical threat vector for targeted individuals, particularly those in sensitive roles.
A key aspect of their methodology is the use of fake but functional applications that impersonate legitimate services, including various messaging apps, job opportunity platforms, and even a Palestinian Civil Registry app [25]. These meticulously crafted impersonations exploit user trust, tricking individuals into downloading and installing malicious software. This tactic underscores the persistent effectiveness of social engineering, demonstrating that even security-conscious users can fall victim to convincing deceptions.
The direct connection of AridViper to Hamas and its consistent targeting of specific regions like Palestine, Egypt, and Israel underscores the direct application of cyber capabilities in geopolitical conflicts and intelligence gathering [24]. Hamas itself is known to engage in cyber espionage and computer network exploitation [26]. This directly links the technical prowess of a threat actor to the strategic objectives of a state-sponsored or state-aligned entity, illustrating how cyber operations have become an integral component of modern warfare and intelligence efforts in politically sensitive regions.
3.12. Incident: World Leaks Extortion Platform Activity
“World Leaks,” a new extortion platform, emerged in early 2025, launched by the operators of the Hunters International ransomware group.27 Despite Hunters International having announced the end of their project in November 2024, they remained active, suggesting World Leaks operates as a side project or a backup plan.27 The platform, which claims to be “extortion-only,” has, however, been observed to facilitate ransomware deployment on some victims’ systems, indicating a collaboration with the Secp0 ransomware group.27 World Leaks operates as an Extortion-as-a-Service (EaaS) platform, providing affiliates with an exfiltration tool and maintaining four distinct platforms: a main data leak site (a “trophy wall”), a negotiation site for ransom payments, an “Insider” platform for journalists, and an affiliate panel.27
World Leaks exemplifies the continued evolution and professionalization of the ransomware ecosystem towards an Extortion-as-a-Service (EaaS) model. This model, which provides affiliates with tools and infrastructure for data exfiltration and extortion, lowers the barrier to entry for cybercriminals, enabling a wider range of actors to participate in high-impact extortion campaigns without requiring deep technical expertise in ransomware deployment.27 This mirrors the industrialization observed in the broader cybercrime landscape.2
The platform’s development of an “Insider platform for journalists” and its explicit threats to inform victims’ customers, partners, employees, and competitors highlight a sophisticated approach to maximizing pressure and reputational damage.27 This strategy moves beyond mere data leaks, weaponizing information and leveraging public and stakeholder pressure to compel ransom payments. This represents a more advanced form of double extortion, where reputational harm is deliberately engineered as a primary leverage point.
A notable discrepancy exists between World Leaks' stated "extortion-only" claim and the observed deployment of ransomware on some victim systems, attributed to its collaboration with the Secp0 ransomware group.27 The contradiction could be a deliberate operational choice to appear less aggressive during negotiations, or it might reflect the diverse and less controlled tactics of individual affiliates. Either way, defenders should treat the "extortion-only" label as no assurance: an intrusion by a World Leaks affiliate should be scoped and contained as a potential encryption event, not only as a data theft, because the group's true capabilities and intent cannot be inferred from its own marketing.
Associated Links:
- Published URL: https://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid.onion/companies/5809730023
- Screenshot: https://d34iuop8pidsy8.cloudfront.net/0ca2cc57-50ef-403a-be37-73932ef6ecfe.png
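Leak-site addresses such as the one above are often copied by hand into tracking sheets and blocklists, where a single mistyped character turns the indicator into junk. The following is an added example, not part of this report or of any tooling it describes, that checks whether an address is structurally a Tor v3 onion-service address: 56 base32 characters decoding to a 32-byte ed25519 public key, a 2-byte checksum and a version byte of 3, with the checksum computed as SHA3-256 of ".onion checksum" || pubkey || version, per the Tor rendezvous v3 specification. The report's URL is used as input; the all-zero public key and the altered address are constructed for the example. Whether the report's address passes the checksum is left to the reader to run; the code asserts nothing about it.

```python
"""Structural validation of Tor v3 onion-service addresses (added example)."""
import base64
import hashlib

ONION_V3_LEN = 56                   # 56 base32 chars encode exactly 35 bytes
CHECKSUM_PREFIX = b".onion checksum"
VERSION_BYTE = b"\x03"              # only version 3 addresses are accepted

# Address taken from the "Published URL" line of this report.
REPORT_URL = ("http://worldleaksartrjm3c6vasllvgacbi5u3mgzkluehrzhk2jz4taufuid"
              ".onion/companies/5809730023")


def onion_v3_checksum(pubkey: bytes) -> bytes:
    """CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    return hashlib.sha3_256(CHECKSUM_PREFIX + pubkey + VERSION_BYTE).digest()[:2]


def encode_onion_v3(pubkey: bytes) -> str:
    """Build the 56-character label for a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + onion_v3_checksum(pubkey) + VERSION_BYTE
    return base64.b32encode(raw).decode("ascii").lower()


def parse_onion_v3(address: str) -> dict:
    """Strip scheme/path/suffix, then report length, version and checksum result."""
    label = address.strip().lower()
    if label.startswith(("http://", "https://")):
        label = label.split("/", 3)[2]          # keep only the host part
    if label.endswith(".onion"):
        label = label[: -len(".onion")]
    result = {"label": label, "length": len(label), "version": None, "checksum_ok": False}
    if len(label) != ONION_V3_LEN:
        return result                           # v2 (16 chars) or garbage: not v3
    try:
        raw = base64.b32decode(label, casefold=True)
    except ValueError:                          # binascii.Error is a ValueError
        return result
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:35]
    result["version"] = version[0]
    result["checksum_ok"] = (version == VERSION_BYTE
                             and checksum == onion_v3_checksum(pubkey))
    return result


def is_valid_onion_v3(address: str) -> bool:
    """True only when length, version byte and checksum all agree."""
    return parse_onion_v3(address)["checksum_ok"]


if __name__ == "__main__":
    # Constructed inputs: a synthetic address from an all-zero key, and the
    # report's address with its final character (version byte) altered.
    synthetic = encode_onion_v3(bytes(32))
    altered = REPORT_URL.split("/")[2][:-7] + "a" + ".onion"
    for candidate in (REPORT_URL, synthetic, altered):
        info = parse_onion_v3(candidate)
        print(f"{info['label'][:16]}... len={info['length']} "
              f"version={info['version']} valid={info['checksum_ok']}")
```

A failed checksum on a hand-copied indicator usually means a transcription error rather than a fake address, so re-copy it from the screenshot or source before blocking or sharing it.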
3.13. Incident: RipperSec/Red Wolf Cyber Hacktivist Activity
RipperSec, a pro-Palestinian and pro-Islam hacktivist group, likely based in Malaysia, has been active since June 2023.17 The group rebranded as “Red Wolf Cyber” on March 12, 2025.18 Known for conducting DDoS attacks, data breaches, and defacements, RipperSec has claimed responsibility for 196 DDoS attacks, with a significant portion targeting Israel.17 In March 2025, they began targeting South Korea, advocating for an end to military support for
Works cited
1. Un supuesto hacker amenaza con tener miles de datos de estudiantes y familiares de la web de Educacyl | Radio Valladolid | Cadena SER, accessed May 31, 2025, https://cadenaser.com/castillayleon/2025/05/31/un-supuesto-hacker-amenaza-con-tener-miles-de-datos-de-estudiantes-y-familiares-de-la-web-de-educacyl-radio-valladolid/
2. How Threat Actors Industrialised Cybercrime in 2024 – Cyber Magazine, accessed May 31, 2025, https://cybermagazine.com/articles/how-threat-actors-industrialised-cybercrime-in-2024
3. Weekly Darkweb in May W2 – S2W, accessed May 31, 2025, https://www.s2w.inc/en/resource/detail/831
4. How Microsoft names threat actors – Unified security operations, accessed May 31, 2025, https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-threat-actor-naming
5. What is a Cyber Threat Actor? | CrowdStrike, accessed May 31, 2025, https://www.crowdstrike.com/en-us/cybersecurity-101/threat-intelligence/threat-actor/
6. Threat Actor Allegedly Selling Fortinet Firewall Zero-Day Exploit …, accessed May 31, 2025, https://www.securityweek.com/threat-actor-allegedly-selling-fortinet-firewall-zero-day-exploit/
7. Top Cybercrime Forums to Monitor in 2023 – Flare, accessed May 31, 2025, https://flare.io/learn/resources/blog/top-cybercrime-forums/
8. Top 10 Dark Web Forums Dominating Cybercrime – Threat Intelligence Lab, accessed May 31, 2025, https://threatintelligencelab.com/blog/top-10-dark-web-forums-dominating-cybercrime/
9. This Cybercrime Forum Is Full Of Hackers – YouTube, accessed May 31, 2025, https://www.youtube.com/watch?v=0-nAGIIYbL0
10. Selling Ransomware Breaches: 4 Trends Spotted on the RAMP Forum | Rapid7 Blog, accessed May 31, 2025, https://old.rapid7.com/blog/post/2024/08/20/selling-ransomware-breaches-4-trends-spotted-on-the-ramp-forum/
11. Hackers leak sensitive data from elite Bronx private school after ransomware attack, accessed May 31, 2025, https://www.bxtimes.com/hackers-leak-sensitive-data-from-elite-bronx-private-school-after-ransomware-attack/
12. 270 arrested in global dark web crackdown targeting online drug and criminal networks, accessed May 31, 2025, https://www.europol.europa.eu/media-press/newsroom/news/270-arrested-in-global-dark-web-crackdown-targeting-online-drug-and-criminal-networks
13. Threat Actors Target U.S. Critical Infrastructure with LummaC2 Malware | CISA, accessed May 31, 2025, https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware
14. When the sky fell silent and the web lit up: Inside India's fight against hybrid warfare, accessed May 31, 2025, https://m.economictimes.com/news/defence/airspace-to-cyberspace-how-india-fought-swarms-of-drones-wave-of-misinformation-during-conflict/articleshow/121165746.cms
15. Airspace to cyberspace: How India fought swarms of drones, wave of misinformation during conflict – Deccan Herald, accessed May 31, 2025, https://www.deccanherald.com/india/airspace-to-cyberspace-how-india-fought-swarms-of-drones-wave-of-misinformation-during-conflict-3540408
16. How pro-India hackers defended country during cross-border …, accessed May 31, 2025, https://timesofindia.indiatimes.com/city/hyderabad/how-pro-india-hackers-defended-country-during-cross-border-cyberattacks-amid-op-sindoor/articleshow/121385229.cms
17. RipperSec (Threat Actor) – Malpedia, accessed May 31, 2025, https://malpedia.caad.fkie.fraunhofer.de/actor/rippersec
18. Quick Overview of Recent DDoS Attacks Targeting South Korea – S2W, accessed May 31, 2025, https://s2w.inc/en/resource/detail/798
19. Massive data breach targeting 1.2 crore WhatsApp, 17 lakh Facebook India users unearthed: Details – Technology News | The Financial Express, accessed May 31, 2025, https://www.financialexpress.com/life/technology-massive-data-breach-targeting-1-2-crore-whatsapp-17-lakh-facebook-india-users-unearthed-details-3021310/
20. WhatsApp details of 500 million users 'on sale': How to check if your data has been leaked, accessed May 31, 2025, https://timesofindia.indiatimes.com/gadgets-news/whatsapp-data-of-500-million-users-on-sale-how-to-check-if-your-data-has-been-leaked/articleshow/95815147.cms
21. BCA Denies Data Breach After Bjorka Hacking Claims – Jakarta Globe, accessed May 31, 2025, https://jakartaglobe.id/tech/bca-denies-data-breach-after-bjorka-hacking-claims
22. BCA Denies Data Breach After Bjorka Hacking Claims – DPEX Network, accessed May 31, 2025, https://www.dpexnetwork.org/news/view/3uss8fpVA3zWA4hpCL5ok7
23. Cybercrime turned cyber espionage: the many faces of the RomCom group – Virus Bulletin, accessed May 31, 2025, https://www.virusbulletin.com/conference/vb2024/abstracts/cybercrime-turned-cyber-espionage-many-faces-romcom-group/
24. Threat Actor Profile: AridViper – SOCRadar® Cyber Intelligence Inc., accessed May 31, 2025, https://socradar.io/threat-actor-profile-aridviper/
25. Arid Viper Launches Mobile Espionage Campaign with AridSpy …, accessed May 31, 2025, https://thehackernews.com/2024/06/arid-viper-launches-mobile-espionage.html
26. HAMAS – National Counterterrorism Center | Terrorist Groups, accessed May 31, 2025, https://www.dni.gov/nctc/terrorist_groups/hamas.html
27. World Leaks: An Extortion Platform – Lexfo's security blog, accessed May 31, 2025, https://blog.lexfo.fr/world-leaks-an-extortion-platform.html